In the first part of this article, we discussed how to secure WHM/cPanel login, as well as SSH network protocols. Now, let's see how to secure other services, such as FTP, an Apache HTTP server and outgoing e-mail server (SMTP).
FTP (File Transfer Protocol) is a standard network protocol used to transfer files from one host to another over a TCP-based network. However, this protocol does not encrypt the data, so it is strongly recommended to avoid it. FTPS (File Transfer Protocol Secure) should be used instead. It uses an SSL/TLS connection to encrypt the username and password, as well as the data. The transfer protocol is selected in the FTP client (e.g. FileZilla) and should be set to "Require explicit FTP over TLS". On the server side, the FTP server should be configured to deny insecure connections: go to the FTP Server Configuration in WHM and set TLS encryption support to "Required (Command/Data)".
Two FTP server daemons are available: ProFTPD and Pure-FTPD. Use Pure-FTPD, as it is faster, more memory-efficient and can be protected from brute-force attacks by enabling cPHulk or Fail2ban.
Change default port
The default FTP port is 21, and this is the first place an attacker would probe for vulnerabilities. It is good practice to change it to a non-standard port. Pick a port that is not used by any other service (here is the list of TCP and UDP system ports). Then open /etc/pure-ftpd.conf and find the following line:
# Bind 127.0.0.1,21
Change 21 to the port number you have chosen. Save the file and restart your FTP server.
When using HTTPS, all communication between your server and the user is encrypted, thus preventing eavesdropping. For additional security, you could get an SSL certificate.
Jail Apache users
Apache should be configured so that a user cannot see other users' processes or files. This can be done by enabling "Jail Apache" in Tweak Settings in WHM and setting users' shell access to jailed shell. The same result can also be achieved with software such as CageFS.
Enable symlink protection
One of the common Apache vulnerabilities is the symlink race condition. If both the SymLinksIfOwnerMatch and FollowSymLinks options are enabled, a malicious user can serve files from anywhere on the server, regardless of file permissions. Here is a list of possible solutions along with their upsides and downsides.
Hide Apache version on error pages
By default, Apache error pages include the Apache version, the OS name and even information about the Apache modules installed on your server. It is advised to hide this information:
# vim /etc/httpd/conf/httpd.conf
Find the following lines and change them to look like this:
Save the file and restart Apache.
Disable directory listing
Another default Apache option is to list the contents of a directory when there is no index file. To disable this, open httpd.conf:
# vim /etc/httpd/conf/httpd.conf
Add the following code:
Save the file and restart Apache.
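As an added example that is not code from the original article, the directives used for the two changes above (hiding the version on error pages and disabling directory listings) are collected into one fragment, together with a small audit function that reports which of them a given httpd.conf is missing. The "/home" document root is an assumption; adjust it to the directories your virtual hosts actually serve.

```shell
#!/bin/sh
# Print a hardening fragment suitable for appending to httpd.conf or an Include file.
# "/home" is assumed to be the directory tree that cPanel accounts are served from.
apache_hardening_snippet() {
  cat <<'EOF'
# Send only "Server: Apache", with no version, OS or module details
ServerTokens Prod
# Do not append the server version line to error pages and listings
ServerSignature Off
# Never generate a directory listing when no index file is present
<Directory "/home">
    Options -Indexes
</Directory>
EOF
}

# audit_httpd_conf CONF: print one finding per weak setting; exit 0 only if none.
# Comment lines are removed first so commented-out examples are not counted.
audit_httpd_conf() {
  active=$(sed -E 's/^[[:space:]]*#.*//' "$1" | grep -v '^[[:space:]]*$' || true)
  findings=0
  # "ProductOnly" is an accepted alias for "Prod"
  if ! printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*ServerTokens[[:space:]]+Prod(uctOnly)?([[:space:]]|$)'; then
    echo "ServerTokens is not set to Prod"
    findings=$((findings + 1))
  fi
  if ! printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*ServerSignature[[:space:]]+Off([[:space:]]|$)'; then
    echo "ServerSignature is not Off"
    findings=$((findings + 1))
  fi
  # Any Options line that lists Indexes (bare or "+Indexes") turns listings on
  if printf '%s\n' "$active" | grep -Eiq '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+\+?Indexes([[:space:]]|$)'; then
    echo "an Options line enables Indexes (directory listing)"
    findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ]
}

# Usage (assumed path):
#   audit_httpd_conf /etc/httpd/conf/httpd.conf || apache_hardening_snippet >> /etc/httpd/conf/httpd.conf
```

The audit only looks at one file, so on a server that spreads its configuration over Include files run it against each of them; an `Options Indexes` inside a `.htaccess` file would also re-enable listings for that directory if `AllowOverride` permits it.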
Mod_security is an Apache module that provides many security features: it acts as a web application firewall, monitors traffic and prevents brute-force attacks. It can be installed via yum by running the following command:
# yum install mod_security
Mod_evasive is an Apache module that protects the server against DoS and DDoS attacks. It detects an attack using the following three methods:
- If the same page is requested more than a few times per second.
- If any child process tries to make more than 50 concurrent requests.
- If any IP is still trying to make new requests while it is temporarily blacklisted.
Mod_evasive can also be installed via the yum package manager.
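The three detection rules above map directly onto mod_evasive's threshold directives. As an added example (not from the original article), the block below prints those thresholds as a configuration fragment and then applies the same per-page and per-site counting to sample access-log lines, so you can see which clients would trip each rule before enabling the module. The numeric values are mod_evasive's documented defaults, the log directory is an assumption, and the log lines and IP addresses in the usage comment and test are constructed for illustration.

```shell
#!/bin/sh
DOS_PAGE_COUNT=2        # same page requested more than this often per interval -> block
DOS_SITE_COUNT=50       # any objects requested more than this often per interval -> block
DOS_PAGE_INTERVAL=1     # seconds
DOS_SITE_INTERVAL=1     # seconds
DOS_BLOCKING_PERIOD=10  # seconds of 403 responses; a blocked client that keeps sending
                        # requests resets this timer (the third detection rule above)

# Print a fragment for the mod_evasive configuration file (DOSLogDir is assumed)
mod_evasive_conf() {
  cat <<EOF
DOSHashTableSize    3097
DOSPageCount        $DOS_PAGE_COUNT
DOSSiteCount        $DOS_SITE_COUNT
DOSPageInterval     $DOS_PAGE_INTERVAL
DOSSiteInterval     $DOS_SITE_INTERVAL
DOSBlockingPeriod   $DOS_BLOCKING_PERIOD
DOSLogDir           /var/log/mod_evasive
EOF
}

# flag_floods LOGFILE: print "IP page" for clients that requested one path more than
# DOS_PAGE_COUNT times within a second, and "IP site" for clients that made more than
# DOS_SITE_COUNT requests in a second. Requests are bucketed by the timestamp's
# second, which models the default 1-second intervals (an approximation of
# mod_evasive's sliding hash table). Input is Apache common log format.
flag_floods() {
  awk -v pc="$DOS_PAGE_COUNT" -v sc="$DOS_SITE_COUNT" '
    {
      ip = $1; ts = $4; path = $7   # ip - - [timestamp] "METHOD path PROTO" status bytes
      page[ip SUBSEP ts SUBSEP path]++
      site[ip SUBSEP ts]++
    }
    END {
      for (k in page) if (page[k] > pc) { split(k, p, SUBSEP); if (!(p[1] in fp)) { fp[p[1]] = 1; print p[1], "page" } }
      for (k in site) if (site[k] > sc) { split(k, p, SUBSEP); if (!(p[1] in fs)) { fs[p[1]] = 1; print p[1], "site" } }
    }' "$1" | sort
}

# Usage against a constructed log (assumed path):
#   flag_floods /var/log/httpd/access_log
# Three hits on /login.php from one address in the same second would print "<ip> page".
```

Running the counter over a day of real access logs before switching the module on is a cheap way to find out whether legitimate clients (monitoring probes, a busy single-page application) would be caught by the default DOSPageCount of 2; if so, raise the threshold or add them to a DOSWhitelist entry rather than living with false positives.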
Disable Server Side Includes and CGI
Server Side Includes (SSI) and CGI scripts can be extremely dangerous if not carefully checked. It is a good idea to completely disable them and only enable them if needed on a case-by-case basis. Open httpd.conf and add the following code:
<Directory "/home">
    Options -Includes -ExecCGI
</Directory>
Note that you must specify the directory in which SSI and CGI are blocked; the block above covers everything under /home.
DDoS attack protection
Although the best tools against DoS and DDoS attacks are network-level tools (such as software or hardware firewalls and other OS configuration), there are a number of Apache configuration settings that can help mitigate the problem (according to the Apache security tips):
- The RequestReadTimeout directive allows you to limit the time a client may take to send the request.
- The TimeOut directive should be lowered on sites that are subject to DoS attacks. Setting it as low as a few seconds may be appropriate. As TimeOut is currently used for several different operations, setting it to a low value introduces problems with long-running CGI scripts.
- The KeepAliveTimeout directive may also be lowered on sites that are subject to DoS attacks. Some sites even turn off keepalives completely via the KeepAlive directive, which of course has other performance drawbacks.
- The values of various timeout-related directives provided by other modules should be checked.
- The directives LimitRequestBody, LimitRequestFields, LimitRequestFieldSize, LimitRequestLine, and LimitXMLRequestBody should be carefully configured to limit resource consumption triggered by client input.
- On operating systems that support it, make sure that you use the AcceptFilter directive to offload part of the request processing to the operating system. This is active by default in Apache httpd, but may require reconfiguration of your kernel.
- Tune the MaxRequestWorkers directive to allow the server to handle the maximum number of simultaneous connections without running out of resources.
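As an added example that is not part of the original article or the Apache documentation, the directives from the list above are collected into one fragment, with a helper that reads the active value of any directive out of a configuration file and a check that the two timeouts are within a chosen bound. The numeric values are illustrative starting points and assumptions, not recommendations for a particular site; RequestReadTimeout needs mod_reqtimeout loaded, and MaxRequestWorkers is the Apache 2.4 name of the directive.

```shell
#!/bin/sh
# Print a DoS-mitigation fragment for httpd.conf or an Include file.
# All values are assumptions to tune against real traffic.
dos_tuning_conf() {
  cat <<'EOF'
# Abort clients that send request headers or body too slowly (mod_reqtimeout)
RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500
# Overall I/O timeout; low values also cut off long-running CGI scripts
Timeout 30
# Keep connections alive only briefly so idle clients do not pin workers
KeepAlive On
KeepAliveTimeout 5
# Bound the size of what a client may send
LimitRequestBody 10485760
LimitRequestFields 100
LimitRequestFieldSize 8190
LimitRequestLine 8190
LimitXMLRequestBody 1048576
# Let the kernel hold a connection until a full request has arrived (Linux)
AcceptFilter http data
AcceptFilter https data
# Upper bound on simultaneous connections served; size it to available RAM
MaxRequestWorkers 256
EOF
}

# directive_value CONF NAME: print the last active (uncommented) value of NAME,
# or nothing if the directive is absent. Directive names are case-insensitive.
directive_value() {
  sed -E 's/^[[:space:]]*#.*//' "$1" |
    awk -v n="$2" 'tolower($1) == tolower(n) { v = $2 } END { if (v != "") print v }'
}

# timeouts_within CONF MAX_TIMEOUT MAX_KEEPALIVE: exit 0 only if Timeout and
# KeepAliveTimeout are both present and no higher than the bounds given
timeouts_within() {
  t=$(directive_value "$1" Timeout)
  k=$(directive_value "$1" KeepAliveTimeout)
  [ -n "$t" ] && [ -n "$k" ] && [ "$t" -le "$2" ] && [ "$k" -le "$3" ]
}

# Usage (assumed path): report whether the live configuration is within 30s / 5s
#   timeouts_within /etc/httpd/conf/httpd.conf 30 5 || dos_tuning_conf
```

Apache uses the last occurrence of a directive when it appears several times, which is why `directive_value` keeps the last match; a hardening Include loaded after the main file therefore wins, but one loaded before it does not.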
Require SSL connection
Forcing clients to connect over SSL significantly improves e-mail security by preventing eavesdropping on usernames and passwords. This can be configured through WHM in the Exim Configuration Manager. "Allow weak SSL/TLS ciphers" should also be turned off.
Prevent dictionary attacks
Dictionary attacks are a type of brute-force attack in which the malicious user tries to guess a valid username and password by testing combinations from a pre-made word list. SMTP servers are a common target for this type of attack, so it is important to protect them. In WHM's Exim Configuration Manager, set "Dictionary attack protection" to on. This will block or rate-limit hosts with more than 4 failed login attempts.
Limit hourly number of e-mails per domain
This is a popular technique for preventing spam e-mails. It can be configured in Tweak Settings in WHM and represents the maximum number of e-mails each domain can send per hour. On shared hosting accounts, the limit is usually 200 per hour.
A DNS-based Blackhole List (DNSBL) or Real-time Blackhole List (RBL) is a blacklist of IP addresses on the internet known for sending spam e-mails. The most popular DNSBLs are SpamCop and Spamhaus, and both can be turned on directly through WHM.
New threats emerge all the time, but if you follow these best practices, your Web servers should be secure — at least for now.